Sample details: df76c4224821d6796cf48c67891b020b

Hashes
MD5: df76c4224821d6796cf48c67891b020b
SHA1: 5713e80c7088d881b39179e9060fa5691784e024
SHA256: 6996498a783f924cb5736481000ccc3a5521a1dcbb2c17478100ab45ab42adfc
SSDEEP: 384:lpNwPgFVqHv4sTAMFFYxsXET+IT606u5tgu60tB86jfXPHMVzDCVqz:RwPQVSvFLusXE6a/At686jX/MV
Details
File Type: PE32
Yara Hits
YRP/Microsoft_Visual_Cpp_v50v60_MFC | YRP/UPXv20MarkusLaszloReiser | YRP/UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser | YRP/UPX20030XMarkusOberhumerLaszloMolnarJohnReiser | YRP/IsPE32 | YRP/IsWindowsGUI | YRP/IsBeyondImageSize | YRP/HasRichSignature | YRP/domain | YRP/contentis_base64 | YRP/escalate_priv | YRP/win_mutex | YRP/win_registry | YRP/win_token | YRP/win_files_operation | YRP/Str_Win32_Wininet_Library | YRP/Str_Win32_Internet_API | YRP/UPX | YRP/suspicious_packer_section | FlorianRoth/DragonFly_APT_Sep17_3
Parent Files
a09fdcce6c749c1613be61a7c272d822
Source
Strings
!This program cannot be run in DOS mode.
.rdata
@.data
expl.prot
httpcomm
serv.stub
host.opts.db
httpcomm.set
[F] cannot export %s
explorer.exe
svchost.exe
mian.nest.8.33
6122238763485615
(%s|%d|%d) %s%s%s
mian.maintenance.shairlock
mian.maintenance.dbgflag
[S] StaticDebug: Logsys started.
[F] StaticDebug: LogEvent failure.
[F] StaticDebug: Logfile failure.
%windir%\
[S] set name: %s
:*:Enabled:@xpsp2res.dll,-22019
[F] warning: cannot bps wf: %d
KERNEL32.DLL
advapi32.dll
SHELL32.dll
user32.dll
FlushFileBuffers
GetCurrentProcess
ExitThread
GetFileSize
GetModuleFileNameA
InitializeCriticalSection
LeaveCriticalSection
ReleaseMutex
EnterCriticalSection
ExitProcess
DeleteFileA
SetFilePointer
WaitForSingleObject
CloseHandle
lstrcatA
lstrcpyA
lstrlenA
DeleteCriticalSection
CreateThread
CreateEventA
CreateProcessA
CreateMutexA
CreateFileA
SetEvent
RtlMoveMemory
SearchPathA
WriteFile
GetDateFormatA
GetTimeZoneInformation
FileTimeToSystemTime
GetSystemTime
GetTimeFormatA
lstrcpynA
SystemTimeToFileTime
RegFlushKey
RegOpenKeyA
RegCloseKey
OpenProcessToken
LookupPrivilegeValueA
AdjustTokenPrivileges
RegCreateKeyA
RegSetValueExA
ShellExecuteA
wsprintfA
[INSTALLER]
:afgh 
sleep 1
del  %1
if  exist %1 goto afgh
del  %0
uninstall.bat
SeDebugPrivilege
SeCreateGlobalPrivilege
!This program cannot be run in DOS mode.
dm65}LT
A&k2`P
)-M [*
iDivFF
\h"Afxv
 =7hl4Ld
Z)|u$ H
^LYq!ax
WQx  [2m
eydH Cv
|*U2_:
nY@!!L`u
\/(|^B
&=vXeD
<a$G")
<;t <,X'y
	x4K V
"M	6K\H@
%;zt=11%|
R*~8tX
e@r#%tW
tx####(
 $####,048####<@DH####LPTX####\`dh####lp
explorer.
svchost
mian.ne
38763485
z(%s|%d
8mainten	ce.sh
dbgflag
[S] StaticDebug: Logsys 
n-d. FEvGtv
e!Husp6d
g all th
d 0x%xIwxn$Ego
ncno,c
get's;)i
%bN#mT[
|l32"!
MAF.ezeP,
Code9;
ry=Ii>
w`*wI'"t
4Vxtbng
pZd7dr
A. =-off
jectDLL
Z0eRPARSTRUCT:
VJP)JSimp
1iur00t
pcum.&
3q7]mas
aNING:veF
1s:|Ir
- i %C
1tysMf
i;LbH\
lee#'%
VM*yuK
MRCR}EOF1-
']EMBR]
&H"_k0
ad.fU 67#a,
URMupwem
MwTj	-
k"'SC"
[.S_Kpo
/old{ABS8\*	M^if/
MPLfENTEDml
 CqSAG
v%POST
HTTP/1.0>d
1TMCERTf]v8pby
rIxs0 
U*UMT*#d
s\l#eX
Z_MG-F3\
m_DM9F,e
xhDLGrD
tt/FW,Z
=AaB03xh
PTIONA
[NEST]
VcCfJce\
"*$: k
AIoolhelp32Snap
Flu0&B
!S#rchPKhDS
BndOf3
pH<Vuu*i
}ws{fA
 HuiR35
==_){H
f@.&K~
XPTPSW
KERNEL32.DLL
advapi32.dll
crypt32.dll
ole32.dll
user32.dll
wininet.dll
LoadLibraryA
GetProcAddress
VirtualProtect
VirtualAlloc
VirtualFree
OpenProcessToken
CryptProtectData
CoGetMalloc
wsprintfA
InternetOpenA
mian.dll
Execute
!This program cannot be run in DOS mode.
j}"vj66a
<S8lh.
VWQSRw
Z[Y_^!
2222P`d\
explorer.
mian.ne
38763485
g8mainten	ce.sh
dbgflag
[S] St
aticDebug: Logsys 
l FEvGt fPl
adLibr
x9wspr
fA}IRun
7XCEPTIONq
[ULOADER]
`gC?.370
Flush&Buffer
Reles}
rchPvhA
lo2Hand
^Forlng
Objec1Wri
TimeZoneInf
Lpg&A8
.rd`a'
XPTPSW
KERNEL32.DLL
user32.dll
LoadLibraryA
GetProcAddress
VirtualProtect
VirtualAlloc
VirtualFree
ExitProcess
wsprintfA
CurrentVersion
SOFTWARE
Windows
SoundMan
SOUNDMAN.EXE
Microsoft
Cold icy\St
SomeAccess
MEM\Curr
CallPol
CONSYST
RentCont
Poles\Sh
Pile\Auth
Abgrt\Param
DrolSet\S
MotorizedApp
Nervic
FlaredA
Delications\List
10 Meters\F
eronikirew
Kaandar
OddProfi